EFF and 57 organizations, including American Civil Liberties Union, R Street, and NAACP, spoke out against warrantless searches of American citizens in a joint letter this week demanding reforms of the so-called “backdoor search” loophole that exists for data collected under Section 702.

The backdoor search loophole allows federal government agencies, including the FBI and CIA, to, without a warrant, search through data collected on American citizens.

The data is first collected by the intelligence community under a section of law called Section 702 of the FISA Amendments Act of 2008, which provides rules for sweeping up communications of foreign individuals outside the United States. However, the U.S. government also uses 702 to collect the communications of countless American citizens and store them in a database accessible by several agencies.

EFF and many others believe this type of mass collection alone is unconstitutional. The backdoor search loophole infringes American rights further—allowing agencies to warrantlessly search through 702-collected data by using search terms that describe U.S. persons. These terms could include names, email addresses, and more.

This practice needs to end. And a proposal before Congress to require warrants on backdoor searches used only in criminal investigations—as recently reported by the New York Times—does not go far enough.

As EFF, and several other organizations, said in an Oct. 3 letter:

“Applying a warrant requirement only to searches of Section 702 data involving ‘criminal suspects,’ is not an adequate solution to this problem. Most fundamentally, it ignores the fact that the Fourth Amendment’s warrant requirement is not limited to criminal or non-national security related cases.”

Further, carving out a warrant requirement solely for criminal investigations ignores the broader umbrella term under which the FBI conducts many searches—that of “foreign intelligence.” Because the FBI conducts investigations with both criminal and foreign intelligence elements, the agency could predictably bypass backdoor warrant requirements by ascribing their searches to foreign affairs matters, rather than criminal.

Warrantless searches of American communications may especially impact those communities that may be speaking frequently to family outside of the United States of which have historically faced unjust surveillance. As we wrote: “Existing policies make it far too easy for the government to engage in searches that disproportionately target Muslim Americans and immigrants with overseas connections based merely on the assertion of a nebulous ‘foreign intelligence’ purpose.”

These searches are happening. In 2016, the CIA and NSA reported they conducted 30,000 searches for information about U.S. persons. That number does not include metadata searches by the CIA, a related problem that can also be fixed by Congress before Section 702 sunsets in December.

Backdoor searches of 702-collected data about U.S. citizens and residents should require a warrant based on probable cause. Congress can protect the rights of countless Americans by closing this loophole.

If the federal government wants to compel an online service provider, like Yahoo or Google, to turn over your email, they need a warrant. That’s the industry-accepted best practice, implemented by nearly every major service provider. More importantly, it’s what the Fourth Amendment requires.

The Securities and Exchange Commission (SEC), the federal agency charged with enforcing federal securities laws, seems to think it falls outside the warrant requirement. In a civil case currently pending in Maryland, the agency asked a federal judge to compel Yahoo to comply with an administrative subpoena—read, not a warrant—it sent to the company, which would require the company to turn over the emails of one of its users. An administrative subpoena lacks the privacy safeguards of a warrant, including a higher standard justifying government access (i.e., probable cause) and prior review by a judge.

Yahoo fought back, refusing to comply with the subpoena and opposing the SEC’s motion. Last week, EFF, joined by our friends at CDT, filed an amicus brief in support of Yahoo. Our brief made a simple point: if the federal government wants to compel a third-party provider to turn over a user’s email, it needs a warrant. That rule applies to the SEC, just as any other federal or state government agency.

The SEC’s position isn’t a new one. They have long claimed a right to access email content from providers without a warrant. In fact, the SEC has been one of the primary obstacles to passing an update to the Electronic Communications Privacy Act (ECPA), the federal law that governs government access to emails and other content stored in the cloud. But this is the first time (as far as we know) that the SEC has tested its theory in court.

Fortunately, even though the SEC has so far been successful in blocking attempts to amend ECPA, the agency still has to contend with the Constitution. As we explained in our brief, because users have a reasonable expectation of privacy in their email stored with online service providers (a point SEC wisely conceded), the Fourth Amendment requires the agency to obtain a warrant—or to rely on an exception to the warrant requirement—in order to intrude upon that privacy.

The SEC argues that, as a civil law enforcement agency, it lacks the power to obtain a warrant by itself. But as we pointed out, whenever there is a criminal component to an investigation—as is the case here—the SEC can coordinate with the Justice Department to obtain a warrant. Apparently, the SEC is concerned that, in purely civil cases, when it can’t work with the Justice Department to obtain a warrant, companies or individuals may be able to shield their emails from disclosure. But civil litigation offers a variety of levers for the SEC to pull in order to obtain the same or similar information, without compelling its disclosure from a third-party service provider.

Ultimately, our constitutional privacy rights shouldn’t be diminished just because the SEC wants to conduct its investigations more efficiently. The hearing in the case is scheduled for Friday, June 30. We hope the court will send a clear message to government agencies: if you want to compel a third-party provider to turn over email content, get a warrant.

The federal government thinks it should be able to use one warrant to hack into an untold number of computers located anywhere in the world. But EFF and others continue to make the case that the Fourth Amendment prohibits this type of blanket warrant. And courts are starting to listen.

Last week, EFF pressed its case against these broad and unconstitutional warrants in arguments before a federal court of appeals in Boston, Massachusetts. As we spelled out in a brief filed earlier this year, these warrants fail to satisfy the Fourth Amendment’s basic safeguards.

The case, U.S. v. Levin, is one of hundreds of prosecutions resulting from the FBI’s 2015 seizure and operation of a child pornography site “Playpen.” While running the site, the FBI used malware—or a “Network Investigative Technique” (NIT), as they euphemistically call it—to infect computers used to visit the site and then identify those visitors. Based on a single warrant, the FBI ended up hacking into nearly 9,000 computers, located in at least 26 different states, and over 100 countries around the world.

But that’s unconstitutional. One warrant cannot allow law enforcement to hack into thousands of computers wherever they are in the world. As law enforcement defended these blanket hacking warrants and pushed for federal rule changes to allow them—and as Congress stood by and idly let this rule change go into effect—we’ve been fighting in court to make sure that the Fourth Amendment’s protections don’t disappear as law enforcement begins to rely on hacking more and more.

And there are signs that courts are beginning to recognize the threats to privacy these warrants pose. Earlier this year, a federal magistrate judge in Minnesota found [PDF] that the warrant the FBI relied on in the Playpen case—the same warrant we were arguing against in Levin—violated the Fourth Amendment.

In the February report, Magistrate Judge Franklin Noel described how the government’s NIT fails the Fourth Amendment’s requirement that warrants describe a particular place to be searched, agreeing with arguments we’ve made to courts in other Playpen prosecutions. The warrant in this case fails to satisfy that requirement because, at the time the warrant was issued, “it is not possible to identify, with an specificity, which computers, out of all of the computers on earth, might be searched pursuant to this warrant,” Noel wrote.

He also explained how the warrant essentially flips the Fourth Amendment’s particularity requirement on its head, searching and then identifying specific computers instead of identifying specific computers and then searching them. “Only with [information gathered through the use of malware] could the Government begin to describe with any particularity the computers to be searched; however, at that point, the computer had already been searched.”

It’s encouraging that courts are beginning to agree with arguments from us and others that these warrants far exceed the Fourth Amendment’s limits on government searches.

As the Playpen prosecutions begin to work their way up to the courts of appeals, the stakes become higher. The decisions these courts reach will likely shape the contours of our constitutional protections for years to come. We’ve filed briefs in every appeal so far, and we’ll continue to make the case that unfamiliar technology and unsavory crimes can’t justify dispensing with the Fourth Amendment’s requirements altogether.